Unit IV – Vulnerability Assessment and Penetration Testing

4.1. Vulnerability Assessment lifecycle


The vulnerability management lifecycle is a process intended for organizations to
effectively identify, remediate, and confirm the elimination of network vulnerabilities in
a computer system.
This cyclical structure is not only designed for security professionals to address a
vulnerability from start to finish but can be applied to any vulnerability instance.
For reliable, continuous vulnerability management, following a lifecycle process is key to any
organization’s security program.

Step 1: Assess
The most straightforward way to find a vulnerability is to scan your network and conduct a
vulnerability assessment.
Scanning helps discover misconfigurations or coding flaws that can be used to compromise or
exploit an application or system.
With these vulnerabilities now known, you can move on to the next step.
Step 2: Prioritize
Not every vulnerability is the same, meaning not every vulnerability requires the same
treatment.
The most critical vulnerabilities could include ones that are backlogged, not just newly
discovered ones.
To map out the severity levels facing your organization, you can use a risk scorecard or
matrix to prioritize which vulnerabilities to remediate first.
Step 3: Action
Once you have prioritized your vulnerabilities you can begin addressing the ones at the top of
your list.
By implementing a patch management procedure, your security infrastructure or engineering
team will repair and test one vulnerability at a time.
These could be short-term or long-term fixes.
Step 4: Reassess
To ensure the reliability of patches and to keep updated on any irregularities or changes to the
vulnerability, it’s important to maintain continuous monitoring.
This monitoring phase of the vulnerability management lifecycle can be done either manually
with the aid of a security analyst, or more commonly now with the use of automated tools.
Once a reassessment has been made, teams can capture the results in a vulnerability
management report that documents the work and feeds the next step, as Step 5 explains.
Step 5: Improve
After all assessments and actions have been taken to eliminate a vulnerability, one of the most
important steps for improving the effectiveness of a vulnerability management program is to
perform a look-back or “lessons learned” exercise.
This approach helps management define what worked, and what did not, during the lifecycle
process.
Evaluating these results can identify long-term improvements and can be used to justify
budgetary needs.
Frameworks For Vulnerability Management
Selecting a framework for your vulnerability management plan provides a reference for
designing and implementing security mechanisms, helping to ensure that vulnerabilities
affecting your organization are eliminated properly.
This assurance allows managers and leadership to intelligently manage their
organization’s security posture using risk-based vulnerability management.
Abiding by a vulnerability management framework also instills confidence in the
organization’s industry and establishes a strong reputation of proactive compliance, which
can lead to increased business.
NIST Vulnerability Management Framework
The National Institute of Standards and Technology (NIST), part of the U.S. Department of
Commerce, sets the gold standard for developing a vulnerability management program.
As one of the key features of any vulnerability management lifecycle, patch management
supports a security team’s ability to effectively eliminate the vulnerabilities identified in their
systems.
With this detailed framework in hand, an organization can quickly and professionally take
action on remediation to continue the vulnerability management life cycle process.
Top Challenges With The Vulnerability Management Lifecycle
There are several challenges to implementing a vulnerability management lifecycle.
Many organizations simply don’t know where to start, let alone how to include the right
features to make a program operational and to ultimately bring value to the organization.
Understanding these challenges will help you to avoid them.
Resource Intensive
Traditional vulnerability management is accomplished by throwing bodies at the problem, but
quantity doesn’t mean quality.
It is far better to have fewer employees who can perform at a higher capacity. To offset
headcount, organizations will typically attempt to supplement labor by purchasing software
and tools to take on more of the manual tasks.
While full-time employees (FTEs) are usually the main cost to an organization, purchasing
unnecessary and difficult-to-use tools can also be very expensive.
This is not a sustainable or cost-effective solution.
Managed Security Service Providers (MSSPs) can help alleviate the challenge of labor and
its associated costs by providing precise, expert solutions.
Inefficient
Many IT and security teams are not always in sync.
Whether due to underfunding, overstretched team capacity, or a general lack of vision, a
vulnerability management program can suffer exponentially.
When processes and ownership of responsibilities are unclear or neglected, a vulnerability
can slip through the cracks and expose the organization.
Likewise, a poorly run vulnerability management program can show stakeholders a failed
return on investment and may cause a further decrease in staff and budget.
Another critical challenge facing organizations today is Managed Service Providers (MSPs)
that take ownership of an organization’s vulnerability management.
Many of these providers are not experts and will often leave companies more vulnerable,
and for longer periods.
Time Consuming
One of the most stressful aspects of an ineffective vulnerability management program is the
amount of time it takes to remediate a vulnerability and to carry out other vulnerability
management processes.
From identification to prioritization and then remediation, the mean time to patch high or
critical vulnerabilities is estimated at 60 days on average.
This not only takes time away from other work but also increases labor, tooling, and overall
costs.
With so much time spent on manual tasks, there is also a greater chance of human error and
of points of exposure that can result in damage to the organization.

4.2. Vulnerability Assessment Tools


In information technology, a vulnerability assessment is the systematic analysis of security
vulnerabilities. It examines whether the system is exposed to any known security weaknesses,
assigns severity levels to them, and, where appropriate, recommends remediation or
mitigation.
Vulnerability testing, or vulnerability evaluation, is a systematic method of discovering
security loopholes in any system that may contain vulnerabilities.
Some examples of threats that a vulnerability assessment can help eliminate are:
1. SQL injection, XSS, or other code injection attacks.
2. Privilege escalation caused by faulty user authentication.
3. Insecure defaults, such as a guessable admin password, in applications that ship with
vulnerable configurations.
Purpose of Vulnerability Assessment
The objective of vulnerability analysis is to prevent unauthorized access to an information
system. Vulnerability checking protects the confidentiality, integrity, and availability of the
system. The method extends to all machines, networks, network devices, apps, cloud
computing, web applications, etc.
Categories of Vulnerability Scanner
Vulnerability scanners differ in how they work. Based on their method of operation, they can
be grouped into the categories defined below.
1. Vulnerability Scanner based on Host
Host-based scanners are run on a dedicated server or machine to identify vulnerabilities in an
individual computer or in a local network device such as a core router.
They analyse sensitive systems which, if not adequately tested or not built from a validated
device image, can be susceptible to attack.
2. Vulnerability Scanner based on Cloud
Cloud-based scanners identify vulnerabilities inside cloud-hosted frameworks such as
enterprise applications, WordPress, and Joomla.
They detect security risks in web applications and their encryption keys by means of
automated front-end testing or static/dynamic code reviews.
3. Vulnerability Scanner based on Database
This type of scanner is used to identify weaknesses in database management systems.
Databases are the foundation of every confidential information processing system, so
vulnerability scanning is performed on database management systems to avoid attacks such
as SQL injection.
They analyse vulnerabilities and configuration issues in databases or big data systems, detect
unauthorized databases or insecure dev/test environments, and classify sensitive data across
the enterprise infrastructure.
4. Vulnerability Scanner based on Network
Network-based scanners search for open ports to identify vulnerabilities in a local network.
The services found listening on those ports determine which vulnerabilities may be present.
They evaluate the policies and procedures aimed at preventing unauthorized access to private
or public networks and to the services reachable over the network.
Vulnerability Assessment Tools
Vulnerability assessment tools provide multiple methods of detecting vulnerabilities in
applications. Code analysis tools look for coding flaws, while audit toolkits can discover
well-known rootkits, backdoors, and Trojan horses.
Several vulnerability scanners are available in the industry. They can be free, commercial, or
open-source, and many free and open-source tools have been developed on GitHub. Choosing
which tool to use depends on a variety of factors, such as the category of security
vulnerabilities, the budget, how often the tool is updated, etc.
Some of the best-known vulnerability scanning tools are discussed below.
1. OpenVAS
OpenVAS is a valuable tool for detecting vulnerabilities that supports large-scale scans
suitable for companies. It can be used not only on web applications and application servers
but also on databases, programming systems, networks, and virtualization software to
diagnose vulnerabilities.
OpenVAS provides frequent updates, which widens its vulnerability detection coverage. It
also assists in assessing risk and suggests preventive measures for the identified
vulnerabilities.
2. Nikto2
Nikto2 is an open-source scanner that focuses on web application security. Nikto2 checks for
about 6700 potentially dangerous files that cause web server problems and tests for outdated
server versions. In addition, Nikto2 can immediately alert you to server configuration
problems and complete web server audits in a minimal amount of time.
Nikto2 does not offer preventive measures or risk management functionality for the
vulnerabilities it finds. It is, however, a frequently updated tool that allows vulnerabilities to
be covered more broadly.
3. Netsparker
Netsparker is also a web application vulnerability assessment tool, with an automation feature
for vulnerability discovery. It is also smart enough to find vulnerabilities in millions of web
application domains within a few hours.
It has many additional features, but it is a paid, enterprise-level vulnerability tool. Its
crawling technology discovers vulnerabilities by crawling through the application.
Netsparker identifies and recommends mitigation strategies for the vulnerabilities reported.
Additional security tools are available for comprehensive vulnerability evaluation.
4. Acunetix
Acunetix is a commercial (an open-source edition is also available) web application
vulnerability scanner with several features. It covers a range of about 6500 vulnerabilities,
and can discover network vulnerabilities in addition to web service vulnerabilities.
Acunetix allows your scans to be streamlined. It is suitable for large-scale organizations
because it can manage several systems. HSBC, NASA, and the US Air Force are a few of the
large organizations that use the Arachni scanning tool for vulnerability testing.
5. Arachni
Arachni is also a dedicated vulnerability tool for application development. It covers a number
of vulnerabilities, which are checked periodically. Arachni offers risk management features
and recommends defensive measures for vulnerabilities that have been identified.
Arachni is a free and open-source security vulnerability tool that supports Linux, Windows,
and macOS. With its ability to keep up with recently discovered vulnerabilities, Arachni also
aims to assist in penetration testing.
6. Nmap
Among cybersecurity experts, Nmap is possibly the best-known free and open-source
network testing tool. Nmap uses probing techniques to discover hosts in a domain and the
software they run.
It aims to detect exploitable weaknesses across two or more distinct networks. If you are a
beginner or learning to search for vulnerabilities, the Nmap scanning tool is a great starting
point.
7. W3AF
W3AF, the Web Application Attack and Audit Framework, is a free and open-source
platform for analysing web applications for vulnerabilities. By identifying and evaluating the
bugs, it provides a mechanism that helps protect the web application.
The software is recognized for its user-friendliness. W3AF also has exploitation features used
for vulnerability assessment work, along with penetration testing options.
W3AF covers a broad set of vulnerabilities. It can be chosen for networks that are attacked
repeatedly, particularly through previously unrecognized vulnerabilities.
8. GoLismero
GoLismero is a free and open-source tool used for intrusion prevention. GoLismero aims to
identify web application threats and vulnerabilities, but can also search for network
vulnerabilities. GoLismero is an efficient tool that works with the results obtained by other
vulnerability tools such as OpenVAS, then consolidates the findings and gives feedback.
GoLismero covers a broad variety of vulnerabilities, including storage and network
vulnerabilities. It also suggests preventive measures for discovered vulnerabilities.
9. Intruder
Intruder is a paid vulnerability scanner explicitly designed for cloud-based storage scanning.
As soon as a new vulnerability is published, the Intruder software begins to search for it. The
scanning mechanism in Intruder is automated and constantly monitors for vulnerabilities.
Since it can handle many devices, Intruder is appropriate for enterprise-level intrusion
detection. In addition to cloud-based testing, Intruder can help identify network
vulnerabilities and also provides feedback and recommendations on efficiency.
10. OpenSCAP
OpenSCAP is a suite of tools that help search for, analyze, and measure vulnerabilities and
build protection measures. OpenSCAP is a free and open-source platform developed by the
community. Only the Linux operating system supports OpenSCAP.
The OpenSCAP platform supports vulnerability scanning of web apps, web-based
applications, databases, operating systems, networks, and virtualization software. In addition,
it provides a risk evaluation service and recommends measures to counter the threats.
11. Aircrack
Aircrack, also called Aircrack-ng, is a suite of tools used to test the security of wireless
networks. These tools can be used to audit networks and support operating systems such as
Linux, OS X, Solaris, NetBSD, Windows, and more.
The suite concentrates on several areas of Wi-Fi security, such as traffic capture and data
handling, driver and card testing, cracking, attack replay, etc. By collecting data packets, it
helps you recover lost keys.
12. Comodo HackerProof
With Comodo HackerProof you can minimize network downtime, conduct regular intrusion
detection, and use the integrated PCI scanning tools. The drive-by detection and mitigation
feature can also be used, and you can build valuable trust with your visitors. Many
organizations turn more visitors into customers thanks to Comodo HackerProof.
Customers feel more comfortable purchasing a product from the business, which drives up
your sales. You also get a new level of protection with the patent-pending tracking
technology, SiteInspector.
13. MBSA (Microsoft Baseline Security Analyzer)
It is a completely stand-alone vulnerability analyzer developed by Microsoft, used to search
for vulnerabilities on Windows servers and Windows devices. The Microsoft Baseline Security
Analyzer has many features, such as scanning the core network components, searching for
security patches and other Windows updates, and much more. It is a helpful platform for
Windows users.
It is important in helping you find missing security updates or patches, and the tool can be
used to install new security patches on the system. Small to medium-sized organizations find
the software most valuable, and its capabilities can save the organization money on security.
To fix the bugs which the tool detects, you would not need to consult a security specialist.
14. Nexpose
Nexpose is an open-source platform that can be used without any cost. Security analysts
frequently use this tool for security assessments. Thanks to the GitHub community, all the
latest vulnerabilities are included in the Nexpose repository. It can be used together with the
Metasploit framework to provide a thorough scan of your web service. Different sections will
be taken into consideration before producing the report.
The tool grades vulnerabilities by their level of risk, from lowest to highest. It scans new apps
so the entire network stays secured. Nexpose is updated every week so that it can find the
newest threats.
15. Retina CS Community
Retina CS Community is a web-based open-source dashboard that allows you to build a more
structured and streamlined framework for risk mitigation. Retina CS Community has
functions such as compliance monitoring, reconfiguring, and configuration compliance, and
because of this you can perform a multi-platform vulnerability evaluation.
When it comes to maintaining network security, the tool is excellent for minimizing time,
expense, and effort. It provides automated vulnerability scanning for databases, web apps,
workstations, and servers. With features such as virtual app scanning and vCenter integration,
companies and organizations get full support for virtual environments.
16. SolarWinds Network Configuration Manager
SolarWinds Network Configuration Manager has consistently received glowing ratings from
users. The tool addresses a particular form of insecurity that most other approaches do not
fix, such as malfunctioning network infrastructure; this function sets it apart from the rest.
Its predominant use as a vulnerability assessment tool is verifying network equipment
configurations for inconsistencies.
To identify vulnerabilities in Cisco routers, it integrates with the National Vulnerability
Database and has access to the latest CVEs. Any Cisco device running ASA, IOS, or Nexus
OS can work with it.
17. Nessus Professional
Nessus, developed by Tenable Network Security, is a branded, proprietary vulnerability
scanner. Nessus can help stop attacks on networks, and it checks for vulnerabilities that
would allow sensitive information to be accessed remotely.
The tool covers a wide variety of cloud infrastructure and virtual and physical networks,
including operating systems, databases, applications, and many other components. Nessus is
trusted by millions of customers for their vulnerability assessment and configuration issues.
Network Security with Vulnerability Assessment
When an attack begins by altering the configuration of the network, these tools are able to
detect and prevent it. They support your compliance requirements through their ability to spot
unauthorized changes, compliance drift, and other relevant deficiencies.
You must follow a predetermined method, like the one illustrated below, to execute a
vulnerability assessment. There are four phases in the vulnerability scanning process:
scanning, analysis, risk assessment, and remediation. Each of these is discussed below.

1. Vulnerability Identification (Scanning)
The goal of this phase is to formulate a detailed list of the vulnerabilities of an application.
Cybersecurity experts test and assess the security of databases, repositories, or other systems
by testing them with automated software. To determine security vulnerabilities, analysts often
depend on vulnerability databases, vendor vulnerability notifications, asset management
systems, and threat intelligence feeds.
2. Analysis
The aim of this phase is to determine the source and root cause of the vulnerabilities
identified in phase one.
It includes identifying the system components responsible for each vulnerability and its root
cause. For instance, an outdated version of an open-source library might be the root cause of
a vulnerability. This gives a straightforward direction for remediation: updating the library.
3. Risk Assessment
The purpose of this stage is to prioritize vulnerabilities. Security analysts give each
vulnerability a rank or severity score based on considerations such as:
1. The systems that are affected.
2. What data is at risk.
3. Which business functions are at risk.
4. Ease of attack or compromise.
5. The severity of an attack.
6. Additional damage resulting from the security vulnerability.
4. Remediation
The purpose of this step is to close security gaps. It is usually a collaborative effort between
security personnel, management, and operations leaders, who decide the most appropriate
route for remediation or mitigation of each vulnerability.
Specific steps for remediation can include:
1. Introduction of new security procedures, measures, or tools.
2. Updating of operational or configuration changes.
3. Development and deployment of a vulnerability patch.
You can follow a predetermined method, like the one illustrated below, to execute a
vulnerability assessment.
Step 1: Start the process by documenting it, determining what resources to use, and obtaining
the appropriate stakeholder approval.
Step 2: Conduct vulnerability scanning using the required tools. Make sure all the outputs of
those vulnerability tools are saved.
Step 3: Analyze the output and determine which vulnerabilities may be a possible threat. The
risks can then be prioritized, and a plan to minimize them can be identified.
Step 4: Ensure that you log all the findings and compile stakeholder reports.
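To make the risk scoring of Step 2 (Prioritize) and Step 4 (Reassess) of the lifecycle in section 4.1, and the risk-assessment factors of phase 3 above, concrete, here is an added example that is not part of the original notes. It scores constructed scanner findings by CVSS severity, asset criticality, ease of attack and backlog age, and closes a finding only once a rescan no longer reports it; the hosts, scores and weights are assumed for illustration.

```python
"""Vulnerability prioritisation and reassessment tracker.

Added example, not part of the original notes. Scores, weights, hosts and
findings are constructed for illustration.
"""
from dataclasses import dataclass

# Asset criticality: what data is at risk and which business activities
# depend on the system (constructed values; 1 = low, 3 = high).
ASSET_CRITICALITY = {
    "web-01": 3,    # customer-facing, handles payment data
    "build-07": 2,  # CI server, internal code
    "kiosk-12": 1,  # isolated display system
}


@dataclass
class Finding:
    finding_id: str
    host: str
    cvss: float           # intrinsic severity of the weakness, 0.0-10.0
    days_open: int        # how long it has sat in the backlog
    exploit_public: bool  # is a public exploit known (ease of attack)?


def risk_score(f: Finding) -> float:
    """Combine severity, asset criticality, ease of attack and backlog age.

    CVSS gives the intrinsic severity; asset criticality scales it by
    business impact; a public exploit makes the attack easier; and age
    adds a small, capped bump so old backlogged items are not starved.
    """
    score = f.cvss * ASSET_CRITICALITY.get(f.host, 1)
    if f.exploit_public:
        score *= 1.5
    score += min(f.days_open / 30, 3)  # at most +3 for age
    return round(score, 1)


def prioritize(findings):
    """Step 2: return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def reassess(open_findings, rescan_ids):
    """Step 4: a finding is closed only when the rescan no longer shows it.

    Returns (closed, still_open). A patch that was applied but did not
    remove the weakness keeps the finding open for the engineering team.
    """
    closed = [f for f in open_findings if f.finding_id not in rescan_ids]
    still_open = [f for f in open_findings if f.finding_id in rescan_ids]
    return closed, still_open


# Constructed findings, as a scanner might report them.
FINDINGS = [
    Finding("F-1", "web-01", 9.8, 2, True),      # new critical, public exploit
    Finding("F-2", "build-07", 7.5, 95, False),  # high, long backlogged
    Finding("F-3", "kiosk-12", 9.0, 1, False),   # critical CVSS, low-value asset
    Finding("F-4", "web-01", 5.3, 10, False),    # medium, but on a critical asset
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.finding_id:4} {f.host:9} risk={risk_score(f)}")
    # Constructed rescan after patching: F-1 and F-3 are no longer detected,
    # F-2's patch did not take, F-4 was not touched yet.
    closed, still_open = reassess(FINDINGS, {"F-2", "F-4"})
    print("closed:", [f.finding_id for f in closed])
    print("still open:", [f.finding_id for f in still_open])
```

Note that F-3, with the second-highest CVSS score, ranks last because it sits on a low-value asset, while the long-backlogged F-2 moves ahead of newer findings.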
Advantages of Vulnerability Assessment
Vulnerability scanning helps keep devices safe from external threats. Some advantages of
vulnerability scanning are given below:
• Inexpensive – many security tools are available for free online.
• Rapid – an assessment takes a couple of hours to execute.
• Streamlined – the advanced features of security tools can be used to run scans routinely
without manual participation.
• Effective – almost all well-known vulnerability scans are performed by vulnerability
scanners.
• Cost / benefit – reducing security risk decreases costs and improves benefits.
4.3. Types of Penetration Tests

Penetration testing (pentesting) is a cybersecurity technique used by organizations to
identify and remediate security vulnerabilities. Organizations hire ethical hackers to imitate
the tactics and behaviors of external attackers. This makes it possible to evaluate an attacker’s
potential to compromise computer systems, networks, or web applications.
Organizations also use penetration testing to ensure compliance: some compliance standards
and regulations require a penetration test to prove that the organization’s systems are secure.
1. External Testing
2. Web Application Testing
3. Internal Penetration Testing
4. Wireless Testing
5. Mobile Application Testing

1.External Testing
An external penetration test is a type of security assessment that can evaluate the
resiliency of your organization's network perimeter. It's widely considered to be one of the
first types of assessments that most organizations will go through, as most are concerned with
tackling their Internet-facing weaknesses first.
• Open Source Reconnaissance – We’ll use publicly available resources to try and
uncover sensitive information, such as types of technology used by the organization
or potential usernames, that can be used in the later phases of testing.
• Full Port Scan – In order to footprint an organization’s external perimeter, a port scan
is used to understand which services are exposed and accepting inbound connections.
These scans will take a look at all 65,535 TCP ports and the top 1000 most popular
UDP ports.
• Vulnerability Scan – Where some assessments would center around a vulnerability
scan, this is really just the beginning of an external penetration test. We use a
vulnerability scan to speed up the identification process for some “low-hanging fruit”
types of issues and exploitable weaknesses that could lead to a more significant
compromise.
• Unauthenticated Web Application Penetration Testing – We’ve explained before
that an external penetration test includes some aspects of web application penetration
testing. That portion is whatever an attacker can see and do from a black-box
perspective, meaning we won’t be provided with valid credentials to log into
discovered applications (unless we can find them ourselves).
• Manual and Automated Exploit Attempts – This is really the bread and butter of an
external penetration test, and the most important part of the assessment. It’s hard to
completely cover everything that can happen during this portion of the attack, but it
includes looking for vulnerabilities that automated scans can’t find, exploiting issues
scans did find, understanding the risks associated with identified vulnerabilities, and
noting any mitigating controls.
• Password Attacks – Another important portion of external penetration testing is the
opportunity for password attacks. These styles of attacks aim to use the open source
intelligence gathered and the noted vulnerabilities, combining them in a way that
makes password attacks more likely to succeed while avoiding protections in place.
These attacks can help you understand shortcomings in password policies, account
lockouts, and multi-factor authentication schemes.

2. Web Application Testing


Web application penetration testing involves performing a simulated attack on a web app to
determine weaknesses that hackers can exploit. The testing process uses emulations of
real-world attacks to identify hidden weaknesses such as SQL injection, cross-site scripting
(XSS), or cross-site request forgery (CSRF).
Data breaches through such weaknesses can severely damage your brand’s reputation and put
company and customer data at risk. Web application penetration testing solves this problem
by identifying vulnerabilities before hackers exploit them.
Web application penetration testing is a simulated cyberattack that systematically
examines your web application’s infrastructure, design, and configurations to identify,
analyze, prioritize, and mitigate vulnerabilities such as XSS attacks, SQL injections, and
business logic bugs, that could potentially lead to unauthorized access or data breaches.
Process of Web Application Penetration Testing
1. Planning Phase
A web app pentest begins by defining the pentest scope, timeline, and people involved. The
customer company and our team of pentesting experts decide on the scope together.
Some considerations at this stage are which application pages need to be tested and whether
to perform internal, external, or both types of testing. Defining the timeline for the whole
process in this step is also crucial.
2. Reconnaissance
During the reconnaissance phase, our pentesters gather as much information as possible about
the target web application and its environment. This helps tailor the testing process and
identify potential weaknesses. We also perform port scanning, service identification,
vulnerability assessment, and other tasks in this testing phase.
Step 1: We begin by passively collecting publicly available information about the target using
methods such as DNS enumeration to find hidden functions and web scraping to extract
information about the application.
Step 2: Our experts then move into the active reconnaissance phase, where they interact with
the application to reveal weak entry points using port scanning and crawl through it to
understand its functionality in detail.
Key Tools Used During Reconnaissance:
• Astra Pentest: Our pentest plans boast features like web scraping, port scanning, and
scan-behind-login, while our intelligent vulnerability scanner conducts an in-depth
survey of the target before the pentesting process begins.
• Nmap: Nmap is a network scanner that discovers open ports, services running on
those ports, and the operating system of the target system.
• DNS Enumeration Tools: Tools like GoBuster, Aquatone, or Subfinder help identify
subdomains associated with the main domain. This can expose hidden functionalities
or administrative interfaces.
• Web Scraping Tools: Tools like Scrapy or theHarvester can be used to obtain
information about the application’s technologies, URLs, and potential API endpoints.
3. Vulnerability Scanning
(Figure: Astra’s Vulnerability Scanner)
Now that we have the reconnaissance data, the next step involves using automated tools to
scan for known vulnerabilities. These tools compare the application against Common
Vulnerabilities and Exposures (CVEs) databases and identify potential weaknesses in code,
configuration, or dependencies.
Key Tools Used During Vulnerability Scanning:
• Open-Source Scanners: Kali or Nikto are popular open-source vulnerability scanners
that can identify various vulnerabilities specific to web applications, such as SQL
injection and Cross-Site Scripting (XSS).
• Commercial Scanners: Scanners like Astra Pentest offer additional features like
detailed reporting, integration with other security tools, remediation guidance, and a
zero false positives guarantee for vetted scans.
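The vulnerability-scanning step above, and the analysis phase earlier in this unit (an outdated library as the root cause), both come down to comparing installed versions against the vulnerable version ranges published in a CVE database. The following added example, not from the original notes or any scanner vendor, does that comparison over a constructed dependency manifest and a constructed advisory feed; the package names are real, but the advisory IDs and version ranges are placeholders.

```python
"""Dependency check against a vulnerability feed.

Added example, not from the original notes or any scanner vendor. The
manifest, the advisory feed and the advisory IDs below are constructed
placeholders.
"""
import re


def parse_version(text: str):
    """Turn '2.14.1' (or '2.14.1-rc1') into a comparable tuple of ints.

    Comparing version strings lexically is a classic scanner bug:
    '1.25.10' < '1.25.9' as text but not as a version. Non-numeric
    suffixes are dropped, which is assumed good enough for this example.
    """
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def parse_manifest(text: str):
    """Parse a requirements-style manifest: one 'name==version' per line."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = parse_version(version)
    return deps


def is_affected(installed, advisory) -> bool:
    """True if the installed version lies in [introduced, fixed)."""
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return lo <= installed < hi


def scan(manifest_text: str, feed):
    """Return (package, installed, advisory id, fixed version) per match.

    The 'fixed' version is the remediation target the analysis phase
    points at: upgrade the library.
    """
    deps = parse_manifest(manifest_text)
    hits = []
    for adv in feed:
        pkg = adv["package"].lower()
        if pkg in deps and is_affected(deps[pkg], adv):
            installed = ".".join(str(p) for p in deps[pkg])
            hits.append((pkg, installed, adv["id"], adv["fixed"]))
    return hits


# Constructed manifest, as found in an application's repository.
MANIFEST = """
requests==2.19.0   # HTTP client
pyyaml==6.0.1
urllib3==1.25.10
"""

# Constructed advisory feed; IDs and ranges are placeholders, not real CVEs.
FEED = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "5.1", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "urllib3", "introduced": "1.24", "fixed": "1.25.9"},
    {"id": "EXAMPLE-0004", "package": "urllib3", "introduced": "1.25.0", "fixed": "1.26.5"},
]

if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in scan(MANIFEST, FEED):
        print(f"{pkg} {ver} affected by {adv_id}; upgrade to >= {fixed}")
```

urllib3 1.25.10 is correctly not matched by EXAMPLE-0003 (fixed in 1.25.9), which a lexical string comparison would have flagged as a false positive.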
4. Exploitation (Pentesting)

While vulnerability scanners provide a great starting point for penetration testing, manual
exploitation is crucial to identifying more complex vulnerabilities and misconfigurations.
This is an essential part of the penetration testing process, where our pentesters manually
exploit the target system to find business logic vulnerabilities, look for unique attack vectors
of vulnerabilities that could be very harmful when combined, and identify each
vulnerability’s critical rating.
Exploitation aims not to cause damage but to understand the potential consequences of a
successful real-world attack. This allows the organization to prioritize remediation efforts
accordingly.
Exploitation involves using various tools and techniques to gain unauthorized access to the
system, steal data, or disrupt operations.
Examples:
The information gathered during recon and scanning helps us plan and execute exploitation
attempts. For example, an identified SQL injection vulnerability in a search form might be
exploited using a tool like SQLmap to extract sensitive data from the database.
We then attempt to chain vulnerabilities together to achieve a more significant impact. For
instance, a directory traversal vulnerability could be combined with a code injection flaw to
upload a malicious web shell and gain remote access to the server.
Key Tools Used During Exploitation:
 Exploit Frameworks: Frameworks like Metasploit provide pre-built modules that can
be used to exploit specific vulnerabilities. However, these tools require a deep
understanding of the vulnerability and customization for the target application.
 Custom Scripts: For zero-day vulnerabilities or those not covered by existing tools,
pentesters may develop custom scripts to exploit the vulnerability. Reputable pentest
service providers constantly update their tests to account for this.
 Password Cracking Tools: Tools like JohnTheRipper can be used to crack hashed
passwords obtained during the test if password spraying or other techniques fail to
gain access.
5. Reporting and Remediation
Once the exploitation phase is complete, our team will provide a detailed report illustrating
all the findings. This report should include:
 A description of each vulnerability identified.
 The severity of the vulnerability (based on CVSS scoring or other metrics).
 The potential impact of exploiting the vulnerability.
 Step-by-step instructions on reproducing the vulnerability (for internal remediation
teams).
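To show how the four report elements listed above fit together, here is an added Python example (not the page's, Astra's or any vendor's report format): a `Finding` record carrying description, CVSS score, impact and reproduction steps, a rating function using the CVSS v3.x qualitative scale (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), and a renderer that orders findings by severity and prefixes a count per rating. The sample findings are constructed, with placeholder hosts and values.

```python
"""Assemble the findings section of a pentest report ordered by CVSS severity.
Added example, not the page's or any vendor's format; the sample findings are
constructed placeholders.  Rating bands are the CVSS v3.x qualitative scale."""
from collections import Counter
from dataclasses import dataclass, field

# (upper bound of band, label) in ascending order; scores have one decimal place.
RATING_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]


def severity_rating(score):
    """Map a CVSS base score to None/Low/Medium/High/Critical; rejects out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    return "Critical"  # unreachable for valid input, kept for clarity


@dataclass
class Finding:
    title: str
    description: str      # what the vulnerability is
    cvss: float           # base score used for the severity rating
    impact: str           # what exploiting it would achieve
    reproduction: list = field(default_factory=list)  # steps for the remediation team

    @property
    def rating(self):
        return severity_rating(self.cvss)


def sort_findings(findings):
    """Highest CVSS first; ties broken by title so the report order is stable."""
    return sorted(findings, key=lambda f: (-f.cvss, f.title))


def summary_counts(findings):
    """Findings per rating, e.g. {'Critical': 1, 'Medium': 1, 'Low': 1}."""
    return dict(Counter(f.rating for f in sort_findings(findings)))


def render_report(findings):
    """Plain-text report carrying the four elements the section lists for each finding."""
    counts = ", ".join(f"{k}: {v}" for k, v in summary_counts(findings).items())
    lines = [f"Findings summary: {counts}", ""]
    for n, f in enumerate(sort_findings(findings), 1):
        lines.append(f"{n}. {f.title} [{f.rating}, CVSS {f.cvss}]")
        lines.append(f"   Description: {f.description}")
        lines.append(f"   Impact: {f.impact}")
        lines.append("   Reproduction steps:")
        lines.extend(f"     {i}. {step}" for i, step in enumerate(f.reproduction, 1))
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings (placeholder host and values, not from a real engagement).
SAMPLE_FINDINGS = [
    Finding("Verbose error pages on 10.0.0.5:80", "Stack traces are returned to the client.",
            5.3, "Internal paths and framework versions are disclosed.",
            ["Request a path that does not exist", "Observe the stack trace in the response"]),
    Finding("Outdated web server on 10.0.0.5:80",
            "Service banner reports a release below the vendor's fixed version.",
            9.8, "Remote code execution per the vendor advisory.",
            ["Run a service-version scan against port 80", "Compare the banner with the advisory"]),
    Finding("Session cookie without HttpOnly", "The session cookie is readable from script.",
            3.1, "Session token exposed to any script injected into the page.",
            ["Log in", "Inspect the Set-Cookie header for the session cookie"]),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Keeping the rating a derived property of the score, rather than a second hand-entered field, avoids the common report defect where the two disagree after a score is adjusted during review.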
Tools Used for Web Application Pen Testing
 Astra Pentest
 Acunetix
 HackerOne
 Burp Suite
 Browser’s Developer Tools
 NMap
 Zenmap
 ReconDog
 Nikto
3 Internal Penetration Testing
Internal penetration testing involves simulating an attack from an insider. It consists of
analyzing the network infrastructure for vulnerabilities, evaluating access controls
within the infrastructure, and testing the security controls of applications and
databases.
Internal Pentest is the act of assessing the security of your infrastructure by
attempting to breach it. This can be done by an external party or by an internal party.
An internal party will typically be someone who is already working for your
company. An external party may be hired through an external company.
The reason for performing an Internal pentest is to determine what an attacker could
achieve with initial access to your network. Typically, an external party obtains this
first access and then uses it to gain access to your internal network. The results of
your internal penetration test will be used to create a baseline of your network.
1. Information Gathering: Collect as much information as possible about target systems or
networks to perform further penetration tests.
2. Discovery Phase: Use the information gathered to discover vulnerabilities on the target
with automated scanning tools.
3. Exploitation: This is where the hacker uses any vulnerabilities previously identified
during the reconnaissance phase.
4. Reporting: The report is usually presented to the management or the IT department
of the company to take mitigative action for the vulnerabilities found and exploited.
An internal pentest is designed to simulate the actions of a real attack. It’s an attack
performed by an insider or someone who has initial access to the network. This attack
is often referred to as an Advanced Persistent Threat (APT) attack.
An internal pentest, however, isn’t limited to APT testing. There are many other
reasons why you might want to do an internal penetration test. For example, if you
have a malicious insider or an employee leaves the company, you should be prepared
for them to take company data with them.
The purpose is to find the security gaps in your network before an attacker can
discover them, giving you time to develop a plan to fix the problem before you are
compromised.
Several companies have internal teams known as red and blue teams. These teams can
include both software developers and security specialists. The Red Team will attempt
to find security flaws and weaknesses in the system, and the Blue Team will guard the
system and protect it from attacks. Both teams will work together to improve the
system and provide better security against attacks.
Benefits of Internal Pentest
Today, most businesses are improving their defenses against outside threats, but they
forget that 49% of cyber attacks come from within.
An internal breach into your business can be much more devastating than an outside
threat because users don’t expect the people they trust to do them harm. This is why
internal penetration testing is becoming more popular.
Some other benefits of performing internal pentest are:
 Find Internal vulnerabilities
 Uncover internal or insider threats
 Thorough & Extensive testing
 Save the cost of a data breach
 Helps in achieving compliance
Internal Penetration Testing Steps
Internal pentest or Internal Penetration testing can be broken down into three main
steps:
1. Information Gathering
Information Gathering is the first phase of penetration testing; it’s about collecting as
much information about target systems or networks to perform further penetration
tests.
Information Gathering is an important phase of penetration testing. If it is not done
correctly, information can be missed, and the penetration tester may have to perform
the penetration test again.
2. Discovery Phase
In the Discovery phase, the Penetration Tester uses the information gathered in
Reconnaissance to discover vulnerabilities on the target. Penetration testers use
various automation tools to perform automated scans.
The information gathered in the Reconnaissance phase is the foundation of any
subsequent attacks and is used as a starting point for the Discovery phase.
3. Exploitation
The third phase in the hacking process is the exploitation phase. This is where the
hacker makes use of any vulnerabilities that were previously identified during the
reconnaissance phase.
The goal of this phase is to gain access to the target system. If the hacker can gain
access to the target system, they can then take control of the system and use it for their
purposes.
4. Reporting
The reporting phase of penetration testing is an essential step in the entire penetration
testing process, which helps you understand your network’s security posture.
The report is usually presented to the management or the IT department of the
company. Its main goal is to help the company (or the IT department) make the right
decisions to fix the security problems detected during the penetration testing, improve
the overall security of the assets, and better the company’s cyber security posture.
4 Wireless Testing
Wireless penetration testing is a systematic approach to evaluating the security of
wireless networks. It involves simulating the tactics and techniques that malicious
hackers might employ to exploit vulnerabilities in your wireless infrastructure.